Amid the debates regarding economy, sovereignty and border control, neither side's EU Referendum campaign – perhaps unsurprisingly – made any mention whatsoever of the Cinderella issue of data protection. Nevertheless, for UK businesses (as well as practitioners) the prospect of what would happen to the General Data Protection Regulation (GDPR) in the event of Brexit has proved an interesting sideshow. Now that we face the reality of the UK leaving the EU, subject to the present political uncertainty, the focus on the issue has become sharper. It is also a microcosm of some of the legislative and regulatory issues that face government in the coming 24 months, if not longer.
Conventional wisdom has been, and persists, that the direction of travel for data protection law in this country is towards the GDPR standard. It was always true that – remain or leave – organisations wanting to do business in Europe would need to be compliant with the pan-EU standard (to meet 'adequacy' requirements), and that the domestic legal standard would likely be brought in line. The UK would after all not wish to be on the wrong end of a Schrems-style judgment by the CJEU.
With the leave result confirmed, putting aside for now the prospect of an extended stalemate, a more technical analysis comes into play. The GDPR "start date" of 25 May 2018 is already marginally ahead of the two-year transition allowed for once Article 50 of the Lisbon Treaty is invoked, even assuming notice was given tomorrow. However, it would be a very odd outcome for any government to allow a month-long period where the legislation was directly effective on UK business and then dropped for good. Parliament will be making its own transitional arrangements which may or may not mean incorporating the existing GDPR into domestic law or, at least, the application of the same heightened legal standard in important concepts such as consent, data subject rights and so on. In the meantime the Data Protection Act 1998 – despite its origin in a European directive – remains effective, a point the ICO was keen to make in its statement on Friday.
Continuing to phase in GDPR standards gradually remains a sensible approach for data controllers, although organisations will be forgiven for holding back business-critical decisions until there is greater clarity. In other areas, such as the charity and fundraising sectors, there is already regulatory pressure to adopt a higher standard of consent. What is uncertain is whether all the minutiae of the GDPR's provisions – data breach reporting to the national Data Protection Authority within 72 hours, for example, or the adoption of mandatory Data Protection Officers in certain organisations – will be considered sufficiently central to protecting "the fundamental rights and freedoms" of EU citizens that Member states will not be able to do business with the UK (or what is left of it) without them.
There are also curious pockets of potentially significant impact arising from Brexit which are not directly tied to the GDPR question. The Court of Appeal's judgment in Vidal-Hall v Google, for example, hinged on the compatibility of section 13 of the Data Protection Act (which in a literal reading did not allow data subjects to claim damages for distress without financial loss) with the right to effective remedy for privacy and data rights protected under the European Union Charter of Fundamental Rights. The CA's ruling, that s.13(2) should be disapplied and financial claims brought for distress alone, is currently under appeal to the Supreme Court, and could certainly be overturned if judgment was made in a jurisdiction where the Charter no longer had direct effect.
This may be of relief to media organisations and others, as would the potential lifting or softening of the Environmental Information Regulations 2004 – fiendishly difficult to navigate and comply with (and appropriately unpopular among some of the public bodies affected).
Overall, it would be wrong to assume that the Brexit vote marks a turning of the tide in information law and data protection in particular. Nevertheless that door of possibility is now ajar if a future administration decides that doing away with "red tape" and "box ticking" is more important for our economy than aligning our position with trading partners in the EU.
If you require further information on anything covered in this briefing please contact Owen O'Rorke (020 3375 7348) or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Intellectual Property and Technology page on our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, June 2016